a guide to gdpr - source insurance
TRANSCRIPT
A GUIDE TO
GDPR Read time: 5 mins
How are youHelloHi Hello
This eBook is brought to you by
Phil LewisHead of HR and Compliance
GDPR can seem like a never ending task to overcome, however, in spite
of what many other people say, GDPR doesn’t need to be a daunting
topic for you and your business.
This eBook has been put together to help highlight some of the most
important aspects of UK GDPR and how to apply these regulations to
your everyday role.
Connect on LinkedInClick here
HiHow are you Hi there
HeyHello
Hi How are you Hi thereHello,
Please note: Nothing in this article constitutes legal advice. You are free to choose whether or not
to use it and it should not be considered a substitute for seeking professional legal help in specific
circumstances.
How are you
Connect on LinkedInClick here
HiHi there
Hi there
THE WORLD IN1998It was the year that both Windows98 and Google were launched.
The biggest films of the year were Titanic, Armageddon and, a
personal favourite of mine, There’s Something About Mary. Perhaps
unsurprisingly, the top hits included I Don’t Want to Miss a Thing by
Aerosmith, My Heart Will Go On by Celine Dion, and Viva Forever
by The Spice Girls.
Aside from the pop culture trends, a lot has changed in the last
three decades. There was no broadband internet in 1998. In fact,
only 9% of households in the UK had internet access in 1998. By
way of comparison, as of 2020, that figure stands at 96%.
View stats here.
Social media was non-existent; no Facebook, Twitter or Snapchat.
Mobile phones were more like bricks, and could only be used to
make actual phone calls (and potentially play Snake!).
This was the world that the Data Protection Act (DPA) was designed
for.
The UK General Data Protection Regulations (UK GDPR) is a
wholesale overhaul of the previous DPA. It was created to
recognise the rise of the internet and the increased availability
of email, both of which have had a massive impact on how
companies use (and sometimes abuse) personal data. It is also
worth noting that there is a sister piece of legislation, the Privacy
and Electronic Communications Act (PECR), also known as the
ePrivacy Regulations (ePR). This Act has been updated a number
of times to take account of advances in technology.
You can find the most up to date information on the ICO website.
OVERVIEW:REGULATORY HIGHLIGHTS
Under UK GDPR, there are also categories of “Sensitive Personal
Data”, which can only be processed in limited circumstances. As a
broker, you will need to be mindful that some of the information
you collect will be considered “Sensitive Personal Data”.
For example, if you are collecting information about medical
conditions for insurance purposes or if you photocopy passports
to satisfy KYC requirements (as passports contain racial/ethnic
information, which is classified as Sensitive Personal Data). Extra
safeguards apply to anybody processing sensitive personal data, so
there are just a few extra steps you’ll need to take in order to be
fully compliant with UK GDPR.
WHAT IS PERSONAL DATA?
Under UK GDPR, there is a new definition of
‘Personal Data’ which has a wider reach than
the previous definition under the DPA. The
new definition includes online identifiers such
as IP addresses and website cookies, alongside
more expected details such as names and
addresses.
WHAT IS personal DATA?
sensitive
GDPR applies to anyone dealing with client data. One of the first
things to determine is whether you are a data controller or a data
processor.
If you make decisions about how personal data is processed (for
example, if you decide which insurers/platforms/lenders to send
personal data to in order to get a quote, policy or mortgage), then
it’s likely that you will be a data controller. As a data controller, your
obligation is to ensure your contracts with processors comply with
the UK GDPR and you are not relieved of your obligations where a
processor is involved.
A data processor acts on behalf of and under the instruction of a
data controller. If this applies to you, the UK GDPR places specific
responsibilities on you, such as maintaining records of the personal
data and your processing activities.
You will have legal liability if you are responsible for a breach.
The ICO sets out the specifics here.
WHO DOES GDPR APPLY TO?
CONSUMER RIGHTS
The right to be given accurate information
about how their data is used and why. This is
what you should set out in your Privacy Policy.
THE RIGHT TO BE informed
The right to access their own personal data
at any time. For example, via a Subject Access
Request (or SAR).
THE RIGHT OF access
The right to have any inaccurate or incomplete
information rectified and updated. A client can
request this verbally or in writing.
THE RIGHT TO rectification
The right to request to have their data deleted,
if for a justifiable reason. You also have the
right to refuse this if you have a justifiable
reason, such as a legal obligation.
THE RIGHT TO erasure
The right to restrict the processing of their data.
In this instance, you may store your client’s
data, but not process it, unless you have their
consent or a legal or public interest.
THE RIGHT TO RESTRICTprocessing
The right to request their personal data in a
structured and commonly used format. Your
client can request their data be transferred to
themselves, or directly to another controller.
THE RIGHT TO DATAportability
The right to object to the processing of their
data. Your client can ask you to stop processing
their data altogether or for a specific purpose,
such as direct marketing.
THE RIGHT TO object
The right to not be subject to a decision, based
solely on automated processing. For example,
if your client was declined an insurance
policy or mortgage based on an automated
underwriting algorithm, they could request a
manual review.
RIGHTS IN RELATION TO AUTOMATED DECISION MAKING AND profiling
CONSUMER RIGHTSIn most instances you have 30 days to process a client’s request,
under each of these rights.
GDPR has updated people’s rights to be more reflective of the fact
that personal data is, generally speaking, kept in electronic formats
these days. Some of these rights, such as the ‘right to be forgotten’
and the ‘right to data portability’, are explicit acknowledgements
that personal data ‘belongs’ to the subject of that data, and so they
should have an active say in who uses it and how.
One of the other big changes that came along with GDPR (and the
ePR), is around consent. Under the DPA, pre-ticked boxes to give
consent were allowed, and as such many people’s inboxes are
regularly filled up with marketing emails. Under UK GDPR, consent
must be “freely given, specific, informed and unambiguous”. This
means that pre-ticked boxes or implicit consent will no longer be
allowed, and people will have to actively choose to provide consent
for their personal data to be processed.
Additionally, consent can be withdrawn at any time, so it is important
that clear and flexible records of consent are maintained, in order
to allow people to withdraw their consent at any point after it has
been given.
Read in further detail here.
Failure to comply with the UK GDPR principles will leave
you open to the highest tier of administrative fine - up to 20
million euros or 4% of your annual global turnover, whichever
is higher. It’s vital that you are up to date with legislation and
your regulatory requirements, not only to provide
your clients with the best service, but also to
avoid the fines associated with
non-compliance breaches.
PENALTIES FOR NON COMPLIANCE
3TOP TIPSFOR BROKERS
The ICO’s website is an adequate source of
information for all brokers looking to remain
compliant with UK GDPR. It’s a little dry, which
is not surprising given the subject matter, but
it is very helpful and the whole GDPR section
could be read in just a few hours.
DO YOUR research
Use the GDPR checklist which is available (for
free) on the ICO website. It will help you to
target the areas which require your attention
in order to be compliant.
ADHERE TO A checklist
Go to the ICO’s website >
Download your relevant ICO checklist >
Under CPD requirements, brokers must have
necessary knowledge of regulations. Use this
as an opportunity to ensure your staff are up
to date on the latest UK GDPR requirements,
whilst helping towards achieving their overall
CPD goal.
EDUCATE YOUR staff
RSM SUPPORT Here at Source, we have dedicated Regional Sales Managers (RSMs)
covering all areas of the UK, to offer you the support you need with
General Insurance (GI). After reading this guide we hope you now
have a good idea of the necessary requirements for your business
and the confidence to apply the regulations to your role.
If you have any queries please contact your RSM, who will be happy
to discuss this further with you, and provide practical examples and
advice.
You can arrange an appointment by calling one of our team on
02920 265 265 today.
Finally, if you are aware of other intermediaries who may find this
information useful, feel free to share this eBook with them!
Complete our GDPR LearningLab module >
Source Insurance Limited | Registered in England & Wales no. 2864963Authorised and regulated by the Financial Conduct Authority.
Your General Insurance Experts